HASH-BASED SYSTEMS AND METHODS FOR DETECTING, PREVENTING, AND TRACING NETWORK
WORMS AND VIRUSES



Field of the Invention

The present invention relates to the field of network security and, more particularly, to systems and methods for detecting the transmission of malicious packets, such as worms and viruses, and tracing their paths through a network.

Description of Related Art

Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel the proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems caused by malicious individuals or pranksters launching attacks from within the network. As the size of the Internet continues to grow, so does the threat posed by these individuals.

The ever-increasing number of computers, routers, and connections making up the Internet increases the number of vulnerability points from which these malicious individuals can launch attacks. These attacks can be focused on the Internet as a whole or on specific devices, such as hosts or computers, connected to the network. In fact, each router, switch, or computer




connected to the Internet may be a potential entry point from which a malicious individual can launch an attack remotely and undetected. Attacks carried out on the Internet often consist of malicious packets being injected into the network. Malicious packets can be injected directly into the network by a computer, or by a device attached to the network, such as a router or switch. Such a device can be compromised and configured to place malicious packets onto the network.

[0002] The most publicized forms of network attacks often involve placing thousands or millions of packets onto the network using a practice known as flooding. The flood of packets can be targeted to a specific device on the network, for example a corporate web site, or can be designed to clog the links, or connection points, between network components. Network attacks frequently use bogus Internet Protocol (IP) addresses, so that the packets' origins are impossible to determine. Locating the origin is further complicated when packets are transformed in transit: when a packet is transferred it may undergo a process that changes the original packet into a new packet, as, for example, would happen during tunneling or network address translation (NAT). Locating the origin of a network attack is further complicated when the attack is distributed across multiple networks. A distributed attack is one that is launched essentially simultaneously from several locations.

Network attacks carried out with a single packet are extremely difficult to detect. Single packet attack data, currently, must be analyzed after the fact to determine if a single packet attack was the
[0003] Much of the difficulty in identifying the origin of malicious packets arises because the Internet uses stateless routing based solely on destination addresses. Although source IP addresses may be transmitted with data, they may bear no similarity to the actual origin, and existing techniques examine packets at the ultimate destination device rather than attempting to locate their origin. The location at which a packet is placed onto the network is referred to as an entry point, also referred to as an ingress point or intrusion point. Failing to identify the source address of malicious packets inhibits preventing further attacks.

[0004] Prior art approaches to handling malicious packets are illustrated with two prior art autonomous systems, PAS1 and PAS2 respectively, connected to a public network through border routers (B1-B5 for PAS2, respectively). An AS is normally connected to the public network by one or more border routers providing routing functionality.

[0005] Border routers contain routing tables for other routers within the AS and for routers within the public network that are connected to the AS by a link, i.e. a communicative connection between network components. Using these tables, a border router forwards each packet toward its desired destination address.

[0006] Firewalls are typically installed between a local area network (LAN), or intranet, and the Internet, or public network. Firewalls act as gateways that allow certain packets in while excluding other packets. Firewalls may be implemented in routers or in separate devices. Rules are used by firewalls to determine which packets will be allowed into their respective AS, and since these rules describe known threats, they are updated on a regular basis.
[0007] Additional protection for an AS may be obtained by supplementing border routers and firewalls with intrusion detection systems (IDSs). IDSs also use rule-based algorithms to determine if a given pattern of network traffic is abnormal. The general premise used by an IDS is that malicious network traffic will have a different pattern from normal, or legitimate, network traffic. Using a rule set, an IDS monitors inbound traffic to an AS. When a suspicious pattern is detected, the IDS may instruct a border router or firewall to modify operation to address the malicious traffic pattern. Such actions may include disabling a link, discarding packets coming from a particular source address, or discarding packets addressed to a particular destination. In Fig. 1, IDS1 is used to protect PAS1 and IDS2 is used in conjunction with F1 to protect PAS2.
[0008] Although border routers, firewalls and IDSs provide some protection, they rely on rule-based lookup tables containing signatures of known threats. In addition, they do not identify the ingress point of a malicious packet. Identifying the ingress point of a packet requires information about each link traversed by the packet. To obtain this information, routers or switches would have to retain information about, or a copy of, each packet traversing a network. With high-speed routers moving gigabits of data per second, retaining a copy of every packet is not practical.
[0009] What has been needed and what has not been available is a method for identifying the origin of malicious packets that addresses all shortcomings of prior art protection techniques. Embodiments of the present invention address these needs.
SUMMARY OF THE INVENTION

[0010] Embodiments of the present invention determine the point at which a malicious packet was placed into a network. More specifically, in a network including multiple hosts and multiple routers for facilitating transmission of packets on a network, a system, for example, is employed for determining the point of entry of a malicious packet. A source path isolation server operating in conjunction with an intrusion detection system isolates the malicious packet and thereby determines the point of entry of the malicious packet. The server includes a means for sending query messages to participating routers one hop away, and each participating router includes means for establishing a bit map of hash values representative of packets having passed through the respective router and means for comparing the hash values of a queried packet against the bit map.

[0011] In a further aspect of the invention, in a network carrying a plurality of packets where at least one of the packets is a target packet, the network includes at least one network component, a detection device, and a server. A query message identifies the target packet and is sent from the server to the first network component, which compares the target packet with representations of packets contained therein. And, the information is used in a manner that allows the entry point of the target packet to be determined.
[0012] In yet a further aspect of the invention, in a network carrying a plurality of packets, a query message includes a header portion including an address of the network component and a body portion including at least a portion of the target packet, the body portion being compared to corresponding representations, where a match between a portion of the target packet and one of the representations indicates that the target packet has passed through the network component.

[0013] In still a further aspect of the invention, a data structure stores information about a subset of the plurality of packets having passed through the network component. The network component is located within a network. A data structure stored in memory includes a network component identification attribute corresponding to a location of the network component, a target packet attribute associated with the target packet, and an attribute indicating that the target packet was observed by the network component.

[0014] An advantage of the invention is that it locates the ingress points of malicious packets in networks. A further advantage of the invention is that it can locate previously undetected malicious packets in a network. A still further advantage of the invention is that it detects malicious packets at network devices, thus enhancing network security. Another advantage of the invention is that it efficiently uses storage.

[0015] It is thus a general object of the present invention to provide improved packet tracing.

[0016] It is another object of the present invention to eliminate problems caused by malicious packets in a network.

[0017] It is a further object of the present invention to identify malicious packets to facilitate identification of their ingress points.

[0018] It is a further object of the present invention to identify malicious packets when distributed attacks are launched against a network.

[0019] It is yet a further object of the present invention to provide information about the path taken by a malicious packet.

[0020] Further objects and advantages of the invention will become apparent from the following detailed description taken in conjunction with the accompanying drawings, in which:

BRIEF DESCRIPTION OF THE DRAWINGS

[0021] Fig. 1 is a block diagram of a prior art network;

[0022] Fig. 2 is a block diagram of an autonomous system employing the invention operating in conjunction with an Internet network;

[0023] Fig. 3 is a block diagram of an autonomous system connected to external networks;

[0024] Fig. 4 is a flowchart illustrating an exemplary method for use with a source path isolation server;

[0025] Fig. 5 is a schematic diagram of an exemplary data structure for storing trace information generated by source path isolation techniques; and

[0026] Fig. 6 is a block diagram of a general-purpose computer configurable for practicing disclosed embodiments.
DETAILED DESCRIPTION OF PREFERRED EMBODIMENT 

[0027] A preferred embodiment of the invention employs network components, or devices, such as a router within an autonomous system (AS), to determine the ingress point, or location, for a malicious packet (MP1). Fig. 2 illustrates an embodiment in which a network is broken into three general areas enclosed within borders, with communication media, such as links carrying data traffic across the network, connecting the general areas. Links serve as a transmission medium and may be comprised of wire, optical fiber, radio frequency (RF) transponders, or the like.

[0028] The rightmost portion of Fig. 2 denotes an AS, shown as AS1, enhanced by the addition of a source path isolation server (SS1), source path isolation routers SR11-17, and an intrusion detection system (IDS1). Also included within AS1 are host computers H1-H3. IDS1 may take the form of a commercially available IDS, or alternatively it may be a device performing both firewall and IDS functions. IDSs and firewalls are well known in the art and will not be described in detail herein. An informative source of information on IDS and firewall functionality that may be used with the disclosed embodiments can be found in Firewalls and Internet Security: Repelling the Wily Hacker by William R. Cheswick and Steven M. Bellovin, Addison-Wesley (1994).

[0029] SS1 may be comprised of a general-purpose computer operatively coupled to AS1 and configured to perform source path isolation, in conjunction with SR11-17 and IDS1. While SS1 and IDS1 are shown as separate devices, both intrusion detection and source path isolation may be performed by a single device. SR11-17 may be comprised of commercially available routers configured to participate in source path isolation.

[0030] The central portion of Fig. 2 denotes a public network PN1 carrying traffic between the autonomous systems, namely IAS1, AS1, AS2 and AS3. PN1 comprises routers R2-R6, links operatively coupling the routers making up PN1, and links attaching to ASs coupled to PN1. PN1 may also comprise computers external to an AS (not shown). Routers that do not function as source path isolation routers (SRs) are denoted as Rx, such as those located in PN1, where x is a number.

[0031] The lower portion of Fig. 2 includes other autonomous systems, AS2 and AS3, that may be operatively coupled to PN1.

[0032] The leftmost portion of Fig. 2 shows an autonomous system (IAS1) used by an intruder to launch an attack on AS1. IAS1 is coupled to PN1 using links. In Fig. 2, I1 has been configured such that it places a malicious packet (MP1) onto IAS1 for transmission to AS1 via PN1. While Fig. 2 shows I1 as a computer, I1 may be any computer or other hardware capable of placing machine-readable data onto a network; when a device is used to place malicious packets onto a network, it is referred to as an intruder or intruding device.

[0033] To initiate an attack, I1 places MP1 onto the network for transmission to one or more destination devices having respective destination addresses. In Fig. 2, the heavy lines are used to indicate the path taken by MP1, namely I1 to IDS2, IDS2-R6, R6-R3, R3-R2, R2-SR15, SR15-SR16, and SR16-IDS1 (where hyphenation implies operative coupling between network components). The thick dashed link from IDS1 denotes the intended path to the targeted device.
[0034] Detection and source path isolation of MP1 may be accomplished as follows. Detection device, here IDS1, identifies MP1 using known methods. After detecting MP1, IDS1 generates a notification packet, or triggering event, and sends it to SS1, thus notifying SS1 that a malicious packet has been detected. The notification may contain MP1, or a portion thereof, along with other information such as encapsulation information. Once MP1 has been identified and forwarded to SS1 it is referred to as a target packet (TP1) because it becomes the target of the source path isolation method further described herein.

[0035] SS1 may then generate a query message (QM1) containing TP1, a portion thereof, or a representation thereof, along with other information. SS1 may send QM1 to participating routers located one hop away; however the disclosed invention is not limited to single hops. In Fig. 2, SR16 is one hop away from SS1 while SR11, SR15 and SR17 are two hops away. When SR16 receives QM1 from SS1, SR16 determines if TP1 has been seen. This determination is made by comparing TP1 with a database containing representations of packets that SR16 has encountered, a packet being encountered when the packet is passed from one of its input ports to one of its output ports.
e ncount e red, a pack e t when th e packet is pass e d from one of its input ports to one of its output 
[0036] To determine if a packet has been observed, SR16 first stores a representation of each packet it forwards and then compares these stored representations with a representation of TP1 contained in QM1. Typically, a representation of a packet passed through SR16 will not be a copy of the entire packet, but rather a unique value derived from the packet. Since a router may forward a large number of packets per second, storing copies of entire packets would require an impractical amount of memory. In contrast, storing a value representative of the contents of a packet uses memory in a more efficient manner and still allows the entire packet to be uniquely identified. A hash value, or hash digest, is an example of such a representative value. The digest is computed across the packet, or a portion of the packet, and the resulting value is stored. Using the digest, SR16 can determine whether a packet having the same contents has passed through it.

[0037] Stored digests may be organized in a data structure, such as a hash table or bit map, that will respond negatively when a packet has not been observed, and that will respond positively (i.e. in a predictable way) when a packet has been observed. Hash values set in a bit map are exemplary representations of packets having passed through a participating router. If SR16 does not have a hash matching TP1, it may send a response to SS1 indicating that it has not seen TP1. But if SR16 has a hash matching TP1, it may send a response to SS1 indicating that the packet has been seen. In addition, SR16 forwards QM1 to routers 1 hop away. In Fig. 2, SR16 sends QM1 to SR11, SR15 and SR17. Then, SR11, 15 and 17 determine if they have seen TP1 and notify SS1 accordingly. In this fashion, the query message/reply process is forwarded to virtually all SRs within an AS on a hop-by-hop basis.

[0038] In Fig. 2, routers SR11, SR15 and SR17 are border routers for AS1, namely they are the routers that contain routing tables for routers outside AS1. If routers external to AS1 participate in source path isolation, the query process may continue beyond the border of AS1. When the SR closest to the ingress point has been identified, the point at which MP1 was placed onto the network by the intruder can be determined independently of the source Internet Protocol (IP) address on the packet.

[0039] Still referring to Fig. 2 and the route taken by MP1, if the routers making up PN1 are not participating as SRs, SR15 represents the ingress point of TP1 into AS1, being the first participating router to have observed it. If the routers making up PN1 were participating as SRs, then R6 could be instructed to exclude TPs from the network.

[0040] The process used to perform source path isolation in Fig. 2 is referred to as an inward-out technique, because queries proceed from SS1 outward toward the border routers of AS1.

[0041] Fig. 3 illustrates an AS, denoted generally as 300, having border routers denoted generally as B connected to external networks EN1-EN7, other routers within 300 connected to the border routers generally denoted as A, and a source path isolation server denoted as SS. AS 300 may perform source path isolation by querying outward one hop at a time until the border routers, B, are reached. For Fig. 3, the routers labeled A are queried on the first hop and the border routers B on the second hop. Since the location of the border routers is known, an outward-in technique may also be employed, in which SS queries the border routers B first, and they in turn query the routers labeled A. As can be seen from Fig. 3, an outward-in query reaches the border routers in a single hop.

[0042] The disclosed techniques may be used with an AS containing virtually any number of participating routers. While inward-out and outward-in techniques have been described, queries may also be directed to routers located at any point within the AS, and the techniques may be used in combination.

Further details of source path isolation are described below.

EXEMPLARY METHOD FOR SOURCE PATH ISOLATION SERVER

[0043] Fig. 4 illustrates an exemplary method for accomplishing source path isolation. The method begins when SS1 receives TP1 from IDS1 operating within AS1 (step 402).

[0044] After receiving TP1, SS1 generates a query message QM1 (step 404). Examples of additional information that may be included in QM1 are, but are not limited to, encryption keys and the like. SS1 then sends QM1 to participating routers one hop away (step 406). SR may then process QM1 by hashing TP1 contained therein and comparing the resulting value to hash values stored in local memory, where the stored hash values identify packets that have passed through SR.

[0045] After processing QM1, an SR may send a reply to SS1 (step 408). The response may indicate that a queried router has seen TP1, or alternatively, that it has not (step 410). It is important to observe that if SR does not have a hash matching TP1, SR has definitively not seen TP1. However, if SR has a matching hash, then SR has seen TP1 or a packet that has the same hash as TP1. When two different packets having different contents produce the same hash value, a hash collision has occurred.

[0046] If a queried SR has seen TP1, it may reply to SS1 with its respective identification and the link on which TP1 was observed. Alternatively, if the SR has not seen TP1, it may reply negatively. Replies received from queried SRs are used to build a source path trace of possible paths taken by TP1 through the network using known methods (step 416). SS1 may then attempt to identify the ingress point for TP1 (step 418). If SS1 cannot identify the ingress point, it may query participating routers another hop away and build the trace again (step 424).

[0047] Examples of building a path trace using the embodiments disclosed herein are but a few of the possibilities. One approach is a breadth-first search in which a graph of nodes is built from the responses received by SS1, where the nodes indicate locations that TP1 may have passed. Any graphs containing paths, i.e. paths that connect known SRs to possible ingress points, are retained; SRs that respond with a positive reply are added to the graph, and the query is sent out another hop. The process continues until all routers have been queried or all SRs in a round respond with a negative reply indicating that they have not observed TP1. When a negative reply is received, it is associated as inactive path data.
[0048] When SS1 has determined the ingress point of TP1, it may send a message to IDS1 indicating that a solution has been found (step 420). Often it will be desirable to have the ingress point reported using known techniques. SS1 may also archive parameters, its search, data received, and the like either locally or remotely. Furthermore, SS1 may communicate information about source path isolation attempts to devices at remote locations coupled to a network. For example, SS1 may communicate information to a network operations center.

[0049] Here it is noted that as SS1 attempts to build a trace of the path taken by TP1, a false indication that a router has seen TP1 may result from a hash collision. Hash collisions can be mitigated by increasing the size of the hash table, since the probability that two different packets hash to the same value decreases. Another mechanism for reducing hash collisions is to use multiple hash values: instead of computing a single hash value and setting a single bit for an observed packet, a plurality of hash values are computed for each observed packet, and a bit is set for each value. The number of unique bit patterns is thereby increased. Although this fills the hash table at a faster rate, the reduction in the number of hash collisions makes the tradeoff worthwhile.
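The hop-by-hop query of paragraphs [0034] through [0049], modelled as an added example (not code from the patent): each participating router keeps a bit map in which several hash values are set per forwarded packet, and the server queries outward from the router next to the IDS, forwarding the query only past routers that reply positively. The topology, packet contents, bit-map size and number of hash functions are all constructed for this example.

```python
"""Toy model of source path isolation with multi-hash bit maps (constructed example)."""
import hashlib
from collections import deque

K_HASHES = 3           # hash values computed (bits set) per observed packet
BITMAP_BITS = 4096     # size of each router's bit map, in bits (assumed)


def packet_digests(packet: bytes, k: int = K_HASHES, m: int = BITMAP_BITS) -> list[int]:
    """Return k bit positions for a packet. Each position comes from a SHA-256
    digest over a one-byte salt plus the packet, so the k hash functions are
    independent (the usual Bloom-filter construction)."""
    positions = []
    for i in range(k):
        h = hashlib.sha256(bytes([i]) + packet).digest()
        positions.append(int.from_bytes(h[:4], "big") % m)
    return positions


class SecurityRouter:
    """A participating router (SR). It records a representation of every
    packet it forwards in a bit map rather than keeping the packet itself."""

    def __init__(self, name: str, neighbors: list[str]):
        self.name = name
        self.neighbors = neighbors
        self.bitmap = bytearray(BITMAP_BITS // 8)

    def forward(self, packet: bytes) -> None:
        for pos in packet_digests(packet):
            self.bitmap[pos // 8] |= 1 << (pos % 8)

    def seen(self, packet: bytes) -> bool:
        """Answer a query message. A negative answer is definitive; a positive
        answer may be a collision with an unrelated packet."""
        return all(self.bitmap[p // 8] & (1 << (p % 8)) for p in packet_digests(packet))


def source_path_isolation(routers: dict[str, SecurityRouter], start: str, target: bytes) -> dict:
    """Query hop by hop from the SR adjacent to the IDS. Only routers that reply
    positively have the query forwarded one hop further; the search stops when
    a round yields no positive reply or every reachable SR has been queried."""
    dist = {start: 0}
    active, inactive = [], []
    frontier = deque([start])
    while frontier:
        round_routers = list(frontier)
        frontier.clear()
        positives = []
        for name in round_routers:
            if routers[name].seen(target):
                active.append(name)
                positives.append(name)
            else:
                inactive.append(name)          # negative reply: inactive path data
        for name in positives:
            for nb in routers[name].neighbors:
                if nb not in dist:
                    dist[nb] = dist[name] + 1
                    frontier.append(nb)
    # Candidate ingress points: positive SRs with no positive neighbour further out.
    ingress = [n for n in active
               if not any(nb in active and dist[nb] == dist[n] + 1 for nb in routers[n].neighbors)]
    return {"active": active, "inactive": inactive, "ingress": ingress}


MP1 = b"constructed malicious packet: payload addressed to H1"   # the target packet TP1
BACKGROUND = [b"constructed ordinary packet " + bytes([i]) for i in range(5)]


def demo() -> dict:
    """Topology after Fig. 2 (constructed): SR16 sits next to IDS1/SS1, and
    SR11, SR15, SR17 are border routers one hop further out. MP1 entered
    AS1 through SR15 and reached IDS1 via SR16."""
    routers = {
        "SR16": SecurityRouter("SR16", ["SR11", "SR15", "SR17"]),
        "SR11": SecurityRouter("SR11", ["SR16"]),
        "SR15": SecurityRouter("SR15", ["SR16"]),
        "SR17": SecurityRouter("SR17", ["SR16"]),
    }
    for pkt in BACKGROUND:                 # ordinary traffic seen by every router
        for r in routers.values():
            r.forward(pkt)
    routers["SR15"].forward(MP1)           # MP1's actual path: SR15 -> SR16 -> IDS1
    routers["SR16"].forward(MP1)
    return source_path_isolation(routers, "SR16", MP1)


if __name__ == "__main__":
    print(demo())
```

With these inputs SR11 and SR17 reply negatively in the second round, so the trace stops there and SR15 is the only ingress candidate.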

EXEMPLARY DATA STRUCTURE FOR STORING TRACE INFORMATION

[0050] Fig. 5 illustrates an exemplary data structure 500 for storing trace information in conjunction with source path isolation. While Fig. 5 shows a single data structure, it will be obvious to those skilled in the relevant arts that a plurality of data structures may be employed and that the data structures may include additional parameters and fields.

[0051] Data structure 500 includes parameters, having data associated therewith. In the upper left portion of Fig. 5 are three parameters: Target, Time, and Source. Target may be used to identify TP, for example by a machine-readable representation such as its hash value. Source may be used to identify the IDS or firewall that detected TP. Time may be used to identify either the time at which TP was received at an SS, the time at which it was detected, or the like.

[0052] Within 500 are exemplary column headings indicating still other attributes that may be stored. Node identification attributes may identify routers, switches, bridges, or the like, within a network that have been queried by SS. Link may be used to identify the link on which a node observed TP, shown as a link identifier. Time may indicate the time, preferably using some common reference, at which a respective node



In re, U.S. 10/654,7?1 Changes made to 09/881,074 to create CIP app 10/251,403

observed TP. Time is useful for assessing how long TP has been in the network and for performing correlation between observations at different nodes. State may be used to track various conditions, for example whether a link has been transferred or disabled. For example, states may be denoted by numeric values, where "1" may indicate that a link has been disabled to exclude data traffic.

[0053] Fig. 5 illustrates one exemplary embodiment of a data structure that may be used to store trace information; other structures of records may be readily employed without departing from the spirit of the invention. For example, the records may be transferred and states may be defined differently, or a plurality of records may be used. Additionally, other column entries may be used in conjunction with, or in place of, those shown in Fig. 5. For example, it may be desirable to associate the hash value, or alternatively, the contents of TP with each record. It may also be desirable to record the time at which TP was encountered at each node. Additionally, it may be desirable to have still other data structures or records associated with source path solutions that have been generated in response to detected TPs.

One particular type of malicious packet is a self-transmitted computer program, such as a virus or worm, that is designed to annoy network users, deny network service by overloading the network, or damage target computers (e.g., by deleting files). A virus is a program that infects a computer or device by attaching itself to another program and propagating itself when that program is executed, possibly destroying files or wiping out memory devices. A worm, on the other hand, is a program that can make copies of itself and spread itself through connected systems, using up resources in affected computers or causing other damage.

In recent years, viruses and worms have caused major network performance degradations and wasted millions of man-hours in clean-up operations in corporations all over the world. Famous examples include the "Melissa" e-mail virus and the "Code Red" worm.

Various defenses, such as e-mail filters, anti-virus programs, and firewall mechanisms, have been employed against viruses and worms, but with limited success. These defenses rely on computer-based recognition of known viruses and worms or block a specific instance of a propagation mechanism (i.e., block e-mail transfers of Visual Basic Script (.vbs) attachments). New viruses and worms continue to appear. Therefore, there is a need for new defenses to thwart the attack of known and yet-to-be-developed viruses and worms. There is also a need to trace the path taken by a virus or worm through a network.

SUMMARY OF THE INVENTION

Systems and methods consistent with the present invention address these and other needs by providing a new defense that attacks malicious packets, such as viruses and worms, at their common denominator (i.e., the need to transfer a copy of their code over a network to multiple target systems, where the code is the same for each one even though, for example, the e-mail message containing the virus or worm may vary). The systems and methods also provide the ability to trace the path of propagation back to the point of origin of the malicious packet (i.e., the place at which it was injected into the network).

In one implementation consistent with the present invention, a system detects the transmission of potentially malicious packets. The system receives packets and generates hash values corresponding to each of the packets. The system may then compare the generated hash values to hash values corresponding to prior packets. The system may determine that one of the packets is a potentially malicious packet when the generated hash value corresponding to the one packet matches one of the hash values corresponding to one of the prior packets and the one prior packet was received within a predetermined amount of time of the packet.



According to another implementation consistent with the present invention, a system for hampering transmission of a potentially malicious packet is disclosed. The system includes means for receiving a packet; means for generating one or more hash values from the packet; means for comparing the generated one or more hash values to hash values corresponding to prior packets; means for determining that the packet is a potentially malicious packet when the generated one or more hash values match at least one of the hash values corresponding to at least one of the prior packets and the at least one of the prior packets was received within a predetermined amount of time of the packet; and means for hampering transmission of the packet when the packet is determined to be a potentially malicious packet.
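The detection and hampering step described above, as an added example (not code from the patent): the content of each packet is hashed, the hash is compared with those of prior packets received within a predetermined time window, and a repeat within the window is treated as potentially malicious and dropped. The fixed-size header layout, window length and packets are constructed here; hashing only the payload after the header is one of the three hashing choices the description allows, chosen so that copies sent to different destinations still match.

```python
"""Repeated-content detection over a time window (constructed example)."""
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 60.0   # the predetermined amount of time (assumed value)
HEADER_LEN = 8          # constructed fixed-size header: 4-byte src, 4-byte dst


def content_hash(packet: bytes, header_len: int = HEADER_LEN) -> str:
    """Hash only the payload so that the same worm body addressed to
    different hosts yields the same value."""
    return hashlib.sha256(packet[header_len:]).hexdigest()


class PacketDetector:
    """Keeps the arrival times of prior packets, keyed by content hash."""

    def __init__(self, window: float = WINDOW_SECONDS):
        self.window = window
        self.prior: dict[str, deque] = defaultdict(deque)

    def observe(self, packet: bytes, now: float) -> str:
        """Return "drop" if a prior packet with the same hash arrived within the
        window (transmission is hampered), otherwise "forward". The packet's own
        hash and time are always recorded for later comparisons."""
        h = content_hash(packet)
        times = self.prior[h]
        while times and now - times[0] > self.window:   # expire stale entries
            times.popleft()
        decision = "drop" if times else "forward"
        times.append(now)
        return decision


def make_packet(src: bytes, dst: bytes, payload: bytes) -> bytes:
    assert len(src) == 4 and len(dst) == 4
    return src + dst + payload


WORM_BODY = b"constructed self-replicating payload: copy me to every host"


def demo() -> list[str]:
    """Five constructed packets: the same worm body to three different hosts
    within two seconds, one unrelated request, and the worm body again
    long after the window has expired."""
    det = PacketDetector()
    pkts = [
        (0.0,   make_packet(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", WORM_BODY)),
        (1.5,   make_packet(b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x03", WORM_BODY)),
        (2.0,   make_packet(b"\x0a\x00\x00\x02", b"\x0a\x00\x00\x04", WORM_BODY)),
        (3.0,   make_packet(b"\x0a\x00\x00\x05", b"\x0a\x00\x00\x02", b"GET /index.html")),
        (100.0, make_packet(b"\x0a\x00\x00\x06", b"\x0a\x00\x00\x07", WORM_BODY)),
    ]
    return [det.observe(p, t) for t, p in pkts]


if __name__ == "__main__":
    print(demo())
```

The first copy of the worm body is forwarded because nothing precedes it; the second and third are dropped; the copy at 100 seconds is forwarded again because every earlier arrival has left the window.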

According to yet another implementation consistent with the present invention, a method for detecting a path taken by a potentially malicious packet is disclosed. The method includes storing hash values corresponding to received packets; receiving a message identifying a potentially malicious packet; generating hash values from the potentially malicious packet; comparing the generated hash values to the stored hash values; and determining that the potentially malicious packet has been received when one or more of the generated hash values match the stored hash values.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the invention and, together with the description, explain the invention. In the drawings,

FIG. 1 is an exemplary diagram of a system in which systems and methods consistent with the present invention may be implemented;

FIG. 2 is an exemplary diagram of a security server of FIG. 1 according to an implementation consistent with the principles of the invention;

FIG. 3 is an exemplary diagram of packet detection logic according to an implementation consistent with the principles of the invention;

FIGS. 4A and 4B illustrate two possible data structures stored within the hash memory of FIG. 3;

FIG. 5 is a flowchart of exemplary processing for detecting and/or preventing transmission of a malicious packet, such as a virus or worm, according to an implementation consistent with the principles of the invention;

FIG. 6 is a flowchart of exemplary processing for identifying the path taken through a network by a malicious packet, such as a virus or worm, according to an implementation consistent with the principles of the invention; and

FIG. 7 is a flowchart of exemplary processing for determining whether a malicious packet, such as a virus or worm, has been observed according to an implementation consistent with the principles of the invention.

DETAILED DESCRIPTION

The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims and equivalents.

Systems and methods consistent with the present invention detect, prevent the transmission of, and trace the propagation of malicious packets through a network. Malicious packets, as used herein, may include viruses, worms, and other types of data with duplicated content, such as illegal mass e-mail (e.g., spam), that are repeatedly transmitted through a network.

According to implementations consistent with the present invention, the content of a packet may be hashed to trace the packet through a network. In other implementations, the header of a packet may be hashed. In yet other implementations, some combination of the content and the header of a packet may be hashed.

EXEMPLARY SYSTEM FOR PERFORMING METHOD

[0054] FIG. 6 illustrates a system 620 comprising a general-purpose computer that can be configured to practice disclosed embodiments. System 620 executes machine-readable code to perform the methods heretofore disclosed and includes a processor 602.

EXEMPLARY SYSTEM CONFIGURATION

FIG. 1 is a diagram of an exemplary system 100 in which systems and methods consistent with the present invention may be implemented. System 100 includes autonomous systems (ASs) 110-140 connected to public network (PN) 150. Connections made in system 100 may be via wired, wireless, and/or optical connections. While FIG. 1 shows four autonomous systems connected to a single public network, there can be more or fewer systems and networks in other implementations consistent with the principles of the invention.

Public network 150 may include a collection of network devices, such as routers (R1-R5) or switches, that transfer data between autonomous systems, such as autonomous systems 110-140. In an implementation consistent with the present invention, public network 150 takes the form of the Internet, an intranet, a public telephone network, a wide area network (WAN), or the like.

An autonomous system is a network domain in which the network devices in the domain can exchange routing tables. Often, an autonomous system can take the form of a local area network (LAN), a metropolitan area network, or a collection of LANs. An autonomous system may include computers or other types of communication devices (referred to as "hosts") that connect to public network 150 via an intruder detection system (IDS), a firewall, one or more border routers, or a combination of these devices.

Autonomous system 110, for example, includes hosts (H) 111-113 connected in a LAN configuration. Hosts 111-113 connect to public network 150 via an intruder detection system 114. Intruder detection system 114 may include a commercially available device that uses rule-based algorithms to determine if a given pattern of network traffic is abnormal. The general premise used by an intruder detection system is that malicious network traffic will have a different pattern from normal, or legitimate, network traffic.

Using a rule set, intruder detection system 114 monitors inbound traffic to autonomous system 110. When a suspicious pattern is detected, intruder detection system 114 may take remedial action, or it can instruct a border router or firewall to modify operation to address the malicious traffic pattern. For example, remedial actions may include disabling the link carrying the malicious traffic, discarding packets coming from a particular source address, or discarding packets addressed to a particular destination.

Autonomous system 120 includes different devices from autonomous system 110. These devices aid autonomous system 120 in identifying and/or preventing the transmission of potentially malicious packets within autonomous system 120 and tracing the propagation of the potentially malicious packets through autonomous system 120 and, possibly, public network 150. While FIG. 1 shows only autonomous system 120 as containing these devices, other autonomous systems, including autonomous system 110, may include them.

Autonomous system 120 includes hosts (H) 121-123, intruder detection system 124, and security 
server 125. Hosts 121-123 connect to public network 150 via a collection of devices, such as security 
routers (SR) 126-129 and/or other communication devices. In one implementation, intruder detection 
system 124 may be configured similar to intruder detection system 114. 

Security server 125 may include a device, such as a general-purpose computer or a server, that 
performs source path identification when a malicious packet is detected by intruder detection 
system 124 or a security router 126-129. While security server 125 and intruder detection system 
124 are shown as separate devices in FIG. 1, they can be combined into a single unit performing 
both intrusion detection and source path identification in other implementations consistent with 
the present invention. 

FIG. 2 is an exemplary diagram of security server 125 according to an implementation consistent 
with the principles of the invention. While one possible configuration of security server 125 is 
illustrated in FIG. 2, other configurations are possible. 

Security server 125 may include a processor 202, main memory [[604]]204, read only memory 
(ROM) [[606]]206, storage device [[608]]208, bus [[610]]210, display [[612]]212, keyboard 
[[614]]214, cursor control [[616]]216, and communication interface [[618]]218. Processor 
[[602]]202 may [[be]] include any type of conventional processing device that interprets and 
executes instructions. 

Main memory [[604]]204 may [[be]] include a random access memory (RAM) or a similar type 
of dynamic storage device. Main memory [[604 stores]] 204 may store information and instructions 
to be executed by processor [[602]] 202. Main memory [[604]] 204 may also be used for storing 
temporary variables or other intermediate information during execution of instructions by 
processor [[602]] 202. ROM [[606 stores]] 206 may store static information and instructions for use 
by processor [[602]] 202. It will be appreciated that ROM [[606]] 206 may be replaced with some 
other type of static storage device. Storage device [[608]] 208, also referred to as a data storage 
device, may include any type of magnetic or optical media and the corresponding interfaces 
and operational hardware. Storage device [[608 stores]] 208 may store information and instructions 
for use by processor [[602]] 202. 

Bus [[610 includes]] 210 may include a set of hardware lines (conductors, optical fibers, or the like) 
that allow for data transfer among the components of [[system 620]] security server 125. Display 
device [[612]]212 may be a cathode ray tube (CRT), liquid crystal display (LCD) or the like, for 
displaying information in an operator or machine-readable form. Keyboard [[614]]214 and 
cursor control [[616]]216 may allow the operator to interact with [[system 620]] security server 
125. Cursor control [[616]]216 may [[be]] include, for example, a mouse. In an alternative 
configuration, keyboard [[614]]214 and cursor control [[616]]216 can be replaced with a 
microphone and voice recognition [[means]] mechanisms to enable an operator or machine to 
interact with [[system 620]] security server 125. 

Communication interface [[618]]218 enables [[system 620]] security server 125 to communicate 
with other devices/systems via any communications medium. For example, communication 
interface [[618]]218 may [[be]] include a modem, an Ethernet interface to a LAN, an interface to 
the Internet, a printer interface, etc. Alternatively, communication interface [[618]]218 can 
[[be]] include any other type of interface that enables communication between [[system 620]] 
security server 125 and other devices, systems, or networks. Communication interface 
[[618]]218 can be used in lieu of keyboard [[614]]214 and cursor control [[616]]216 to facilitate 
operator or machine remote control and communication with security server 125. 



As will be described in deta 1 be > > tww-^ '^ e 25 ma) fHH4d tf-- ^$4"i>p e fating 

xvithki-AS I- with--te-abMrty te-- p erform source path isolation teen . i m d ot prevention 
mea y es foi a g?-*tm-4-P- SM - mai \ J ' f it . d mous syum 120. Security 
server 125 



jMIM from IDS 1 and a 



- — H-j i : in response 



to processor [[602]] 202 executing sequences of instructions contained in, for example, memory 
[[604]] 204. Such instructions may be read into memory [[604]]204 from another computer-
readable medium, such as storage device [[608]] 208, or from another device coupled to bus 
[[610]]210 or coupled via communication interface [[618. Execution ... 
receiving a target packet (step 402), receiving replies from queried routers (step 408), and 
building a trace of the path traveled by TP (step 416).]] 218. 



Alternatively, hard[[-]]wired circuitry may be used in place of or in combination with software 
instructions to implement the functions of [[SS. Thus, the disclosed embodiments of SS are not 
...]] security server 125. For 
example, the functionality may be implemented in an application specific integrated circuit 
(ASIC), a field-programmable gate array (FPGA), or the like, either alone or in combination with 
other devices to provide desired functionality. 



CONCLUSION 

fa-e-itkat e -souree path isolation of .malicious packets in a network. While the preceding disclosure 
is direct e d to an Int e rn e t Protocol (IP) network, disclos e d e mbodiments can be us e d in 



{AXM)% synchronerts opt i eal:-u e iw6i-k (SQ^E^ : > r an:d th e like- fa add i tion; disclos e d 
e mbodiments may be adapted to operate within different kyers-^f-a-Hetwefk-^fe-fts-fefr-^ata-liak- 



m$$\ Furt 



a th e dir . 



hods for impl e menting a 



ce path isolation 



n - gje-prr 



r-hardwa 



e xampfe r s < >ftwaf e 4e^^^ 
programming language such as C, C++, LISP, or the like. Alternatively, software may be 
i n3pl e m e n ie c44« - ^4gw^ 

where-f- e q»r&fti e Rts-stteli"ftS"Spe e d mu3t b e m e t Furthermore, SS may b e -eonf i gtifed-te 
eenimwiieate-w^^ 

te4m-v e --S S --m a^ 
»^:He - H f % - ne^ 

by e mploying .multip l e processors or by having various compon e nts physically separat e d and 

uaiftg4ie"T^v^rk - €af^ - iag - date - tmffH - " ft mong the SRs. For example, using a dedicated network 
ftiay-previd e... ^ 

tkat-ene-e? mor e iink s- tfr - aft - SR- ifr- tUg a & te dv 

■| 00l > 7| Q t te ry mea sage<H*^Ms)-a4*d-re^ 

p»u kft type ln-*«any4n s ta»e es ^ 

readily known protocols; however, customized protocols and messag e types can be used. For 
exampl e , it may be desirabl e to employ a smart packet for sending QMs to participating rout e rs 
A-^nartpa^ e t^on e -tto^ 
ak»g - M4fe - maefeft e H^adfi& e 4nsm^ ^ ^ 

madi-fy-its operation in response to the contents of the executable instnietions contained therein. 
Smart pack e ts facilitat e rapid respons e s to n e twork intrusiono by allowing an SR to modi f y 
ep e r a tk^ s m * n^ 

{0058} Fnrthe^ofe r the-4isele^ 

wtnrifckb e-ia *eet^ ^ ^ ^ 

aneth e fi or- a pack e t was spht fe As can be seen- maay 

invention. 

44m^feM%4fa e -y^ent" e ^ 
foregoing description, and all changes within the meaning and range of equivalency of the claims 



1 \ U it 1 t _ i I i 1 • 1 

may, deject and/or grey m 

Security routers 127-129 may include border routers for autonomous 
system 120 because these routers include connections to public network 150. As a result, 
security routers 127-129 may include routing tables for routers of autonomous system 120. 

FIG. 3 is an exemplary diagram of packet detection logic 300 according to an implementation 
consistent with the principles of the invention. Packet detection logic 300 may be implemented 
within a device that taps one or more bidirectional links of a router, such as security routers 126-
129. In another implementation, packet detection logic 300 may be implemented within a router, 
such as security routers 126-129. In the discussion that follows, it may be assumed that packet 
detection logic 300 is implemented within a security router. 

Packet detection logic 300 may include hash processor 310 and hash memory 320. Hash 
processor 310 may include a conventional processor, an ASIC, a FPGA, or a combination of 
these that hashes each observed packet and records the packet 
representations in hash memory 320. 

A packet representation will likely not be a copy of the entire packet but rather it will include a 
unique value representative of the packet. Because modern routers 
can pass gigabits of data per second, storing complete packets is not practical because memories 
would have to be prohibitively large. By contrast, storing a value representative of the contents 
of a packet uses memory in a much more efficient manner. By way of example, if incoming 
packets range in size from 256 bits to 1000 bits, a fixed width number may be computed across 
fixed-sized blocks making up the content (or payload) of a packet in a manner that allows the 
entire packet to be identified. To further illustrate the use of representations, a 32-bit hash value, 
or digest, may be computed across fixed-sized blocks of each packet. Then, the hash value may be 
stored in memory or used as an index, or address, into hash memory 320. 

Using the hash value, or an index derived from it, results in efficient use of hash memory 320 
while still allowing the content of each packet passing through packet detection logic 300 to be 
identified. 

Systems and methods consistent with the principles of the invention may use a recording scheme that 
records information about each packet in a space-efficient fashion, that can definitively 
determine if a packet has not been observed, and that can respond positively (i.e., in a predictable 
way) when a packet has been observed. Although systems and methods consistent with the 
present invention can use virtually any technique for deriving representations of packets, for 
brevity, the remaining discussion will use hash values as representations of packets 
having passed through a participating router. 

Hash processor 310 may determine a hash value over successive, fixed-sized blocks in the 
payload field (i.e., the contents) of an observed packet. For example, hash processor 310 may 
hash each successive 64-byte block of the payload, not including the header field. As described in more detail 
below, hash processor 310 may use the hash results of the hash operation to recognize duplicate 
occurrences of packet content and raise a warning if it detects packets with replicated content 
within a short period of time. Hash processor 310 may also use the hash results for tracing the 
path of a malicious packet through the network. 

The hash value may be determined by taking an input block of data, such as a 64-byte block of a 
packet, and processing it to obtain a numerical value that represents the given input data. 
Suitable hash functions are readily known in the art and will not be discussed in detail herein. 
Examples of hash functions include the Cyclic Redundancy Check (CRC) and Message Digest 5 
(MD5). 

The resulting hash value, also referred to as a hash digest, represents the data over which it was 
computed. For example, incoming packets may have hash values computed over their content. 

i i h val i j r. i niifvin^ nj h oc ofd \ I 

wm. cpmpjtted.tM 

l f v f ! _i oj i >k sju i I n , i 1 llision t acceptable a f sen » 

should provide a good distribution of values over a variety of data inputs in order to prevent 
these collisions. Because collisions occur when different input blocks result in the same hash 
value, an ambiguity may arise when attempting to associate a result with a particular input. 

Hash processor 310 may store a representation of each packet it observes in hash memory 320. 
Hash processor 310 may store the actual hash values as the packet representations, or it may use 
other techniques for storing the hash values and 
other information associated therewith. A technique for efficiently storing the hash values may 
use a bit array or Bloom filters for storing hash values. 

Rather than storing the actual hash value, which can typically be on the order of 32 bits or more 
in length, hash processor 310 may use the hash value as an index for addressing a bit array 
within hash memory 320. In other words, when hash processor 310 generates a hash value for a 
fixed-sized block of a packet, the hash value serves as an address location into the bit array. At 
the address corresponding to the hash value, a bit, or bits, may be set at that 
location thus indicating that a particular hash value, and hence a particular data packet content, 
has been seen by hash processor 310. For example, using a 32-bit hash value provides on the 
order of 4.3 billion possible index values into the bit array. Storing one bit per fixed-sized block 
rather than storing the block itself, which can be 512 bits long, produces a compression factor of 
1:512. While bit arrays are described by way of example, it will be obvious to those skilled in the 
relevant art that other storage techniques may be employed without departing from the spirit of 
the invention. 
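
The bit-array representation just described, as an added example (this code is not part of the patent and is not the applicant's implementation). It splits a payload into the 64-byte blocks the text uses, hashes each block with CRC-32 (one of the functions the text names), and uses the hash as an index into a bit array, giving the definitive "not seen" and the collision-prone "seen" answers the text describes. The index width used for the demonstration, the zero-padding of a short final block, and the sample payloads are assumptions made here, not details from the text.

```python
import zlib

BLOCK_SIZE = 64   # 64-byte (512-bit) payload blocks, as in the text


def payload_blocks(payload: bytes, block_size: int = BLOCK_SIZE):
    """Yield successive fixed-sized blocks of a payload.  A short final block is
    zero-padded (an assumption: the text does not say how partial blocks are handled)."""
    for off in range(0, len(payload), block_size):
        yield payload[off:off + block_size].ljust(block_size, b"\0")


def block_hashes(payload: bytes):
    """One 32-bit hash per block.  CRC-32 is used here because the text names it."""
    return [zlib.crc32(b) & 0xFFFFFFFF for b in payload_blocks(payload)]


class BitArrayHashMemory:
    """Hash memory 320 modelled as a bit array addressed by the block hash.

    index_bits=32 gives the 2**32 (about 4.3 billion) index values the text
    mentions but needs a 512 MiB array; the default truncates the hash to
    24 bits (2 MiB) so the demonstration stays small.
    """

    def __init__(self, index_bits: int = 24):
        self.index_bits = index_bits
        self.mask = (1 << index_bits) - 1
        self.bits = bytearray((1 << index_bits) // 8)

    def _set(self, h: int) -> None:
        i = h & self.mask
        self.bits[i >> 3] |= 1 << (i & 7)

    def _test(self, h: int) -> bool:
        i = h & self.mask
        return bool(self.bits[i >> 3] & (1 << (i & 7)))

    def record(self, payload: bytes) -> None:
        """Set the indicator bit for every block of an observed packet (act 540)."""
        for h in block_hashes(payload):
            self._set(h)

    def seen(self, payload: bytes) -> bool:
        """False is definitive: at least one block was never observed.  True means
        every block's bit is set, i.e. a prior observation or a hash collision."""
        return all(self._test(h) for h in block_hashes(payload))

    def fill_fraction(self) -> float:
        """Fraction of bits set; as it grows, so does the chance of a false 'seen'."""
        return sum(bin(b).count("1") for b in self.bits) / (1 << self.index_bits)


def compression_factor(block_size: int = BLOCK_SIZE) -> int:
    """Bits in one block versus the single indicator bit kept for it (512 for 64 bytes)."""
    return block_size * 8


def demo() -> dict:
    """Record one constructed packet, then check it and an unrelated packet."""
    mem = BitArrayHashMemory(index_bits=20)
    pkt_a = bytes(range(200))                    # constructed 200-byte payload
    pkt_b = b"unrelated payload content " * 8    # constructed, never recorded
    before = mem.seen(pkt_a)
    mem.record(pkt_a)
    return {"before": before, "after": mem.seen(pkt_a), "other": mem.seen(pkt_b),
            "fill": mem.fill_fraction(), "factor": compression_factor()}


if __name__ == "__main__":
    print(demo())
```

Note that `seen()` only ever reports True when every block's bit is set; a single clear bit is the definitive negative the text relies on, while a True answer carries the collision ambiguity the text discusses under hash collisions.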
Over time, hash memory 320 may fill up and the possibility of overwriting an existing index 
value increases. Overwriting an index value may be avoided by periodically flushing the bit array 
to other storage media, such as a magnetic disk drive, optical media, solid state drive, or the like. 
The flushing cycle can be shortened by flushing a subset of the bit array at a time while the rest 
remains in use, which minimizes the possibility that a target 
packet may be missed (i.e., a hash value is not computed over a portion of it). 

FIGS. 4A and 4B illustrate exemplary information that may be stored within hash memory 
320 in implementations consistent with the principles of the invention. As shown in FIG. 4A, 
hash memory 320 may include indicator fields 412 and counter fields 414 addressable by 
corresponding hash addresses generated by hash processor 310. 

Indicator field 412 may store one or more bits that indicate whether a packet block with the 
corresponding hash value has been observed by hash processor 310. Counter field 414 may 
record the number of occurrences of packet blocks with the corresponding hash value. Counter 
field 414 may periodically decrement its count for flushing purposes. 

FIG. 4B shows additional information that hash memory 320 may store addressable according to a packet's hash value. 
For example, hash memory 320 may include link identifier (ID) fields 422 and status fields 424. 
Link ID field 422 may store information regarding the particular link upon which the packet 
arrived at packet detection logic 300. Status field 424 may store information to aid in monitoring 
the status of packet detection logic 300 or the link identified by link ID field 422. 

In an alternate implementation consistent with the principles of the invention, hash memory 320 
may be preprogrammed to store hash values of known malicious packets, such as 
known viruses and worms. Hash memory 320 may store these hash values separately from the 
hash values of observed packets. In this case, hash processor 310 may compare a hash value for a 
received packet to not only the hash values of previously observed packets, but also to hash 
values of known malicious packets. 

In yet another implementation consistent with the principles of the invention, hash memory 320 
may be preprogrammed to store source addresses of known legitimate sources of duplicate 
content, such as packets from a multicast server, a popular page on a web server, an output from 
a mailing list server, or the like. In this case, hash processor 310 may compare the 
source address for a received packet to the source addresses of known sources of legitimate 
duplicated content. 

EXEMPLARY PROCESSING FOR MALICIOUS PACKET DETECTION 

FIG. 5 is a flowchart of exemplary processing for detecting and/or preventing transmission of a 
malicious packet, such as a virus or worm, according to an implementation consistent with the 
principles of the invention. The processing of FIG. 5 may be performed by packet detection logic 
300 within a tap device, a security router, such as security router 126, or other devices 
configured to detect and/or prevent transmission of malicious packets. In other implementations, 
one or more of the described acts may be performed by other systems or devices within system 
100. 

Processing may begin when packet detection logic 300 receives, or otherwise observes, a packet 
(act 505). Hash processor 310 may generate one or more hash values by hashing successive 
fixed-sized blocks from the packet's payload field (act 510). Hash processor 310 may use a 
conventional technique to perform the hashing operation. 

Hash processor 310 may optionally compare the generated hash value(s) to hash values of 
known viruses and/or worms stored within hash memory 320 (act 515). As described above, hash memory 320 
may be preprogrammed with the hash values of known viruses and/or worms. If 
one or more of the generated hash value(s) match one of the hash values of known viruses and/or 
worms, hash processor 310 may take remedial actions (acts 520 and 525). The remedial actions 
may include raising a warning for a human operator, delaying transmission of the packet, 
requiring human examination before transmission of the packet, dropping the packet and 
possibly other packets originating from the same source, 
sending a Transmission Control Protocol (TCP) close message to the sender thereby preventing 
complete transmission of the packet, disconnecting the link on which the packet was received, 
and/or corrupting the packet content in a way likely to render any code contained therein inert 
(and likely to cause the receiver to drop the packet). 

If the generated hash value(s) do not match any of the hash values of known viruses and/or 
worms, or if such a comparison is not performed, hash processor 310 may optionally determine 
whether the packet came from a legitimate source of duplicated packet content (i.e., a legitimate "replicator") (act 530). For 
example, hash processor 310 may maintain a list of legitimate replicators in hash memory 320 
and check the source address of the packet with the addresses of the replicators on the list. 

If the packet's source address matches the address of one of the legitimate replicators, then hash 
processor 310 may end processing of the packet. For example, processing may return to act 505 
and await receipt of the next packet. 

Otherwise, hash processor 310 may determine whether any packets with the same hash 
value(s) have been received (act 535). For example, hash processor 310 may use each of the 
generated hash value(s) as an address into hash memory 320. Hash processor 310 may then 
examine indicator field 412 (FIG. 4) at each address to determine whether the one or more bits 
stored therein indicate that a prior packet has been received. 

If there were no prior packets received (act 535), then hash processor 310 may 
record the generated hash value(s) in hash memory 320 (act 540). For example, hash processor 
310 may set the one or more bits stored in indicator field 412, corresponding to each of the 
generated hash values, to indicate that the corresponding packet was observed by hash processor 
310. Processing may then return to act 505 to await receipt of the next packet. 

If a prior packet with the same hash value(s) was received (act 535), hash processor 310 may 
determine whether the packet is potentially malicious (act 545). Hash 
processor 310 may use a set of rules to determine whether to identify the packet as potentially 
malicious. For example, the rules might specify that more than times (where times > 1) packets 
with the same hash value have to be observed by hash processor 310 before the packet may be 
identified as potentially malicious. The rules might also specify that these packets have to have 
been observed by hash processor 310 within a specified period of time of one another. The 
rationale for the latter rule is that, in the case of malicious packets, such as viruses and worms, 
multiple packets will likely pass through packet detection logic 300 within a short period of time. 

A packet may contain multiple hash blocks that partially match hash blocks associated with other 
packets. For example, a packet that includes multiple hash blocks may have somewhere between 
one and all of its hashed content blocks match hash blocks associated with prior packets. The 
rules might specify the number of blocks and/or the number and/or length of sequences of blocks 
that need to match before hash processor 310 identifies the packet as potentially malicious. 

When hash processor 310 determines that the packet is not malicious (e.g., not a worm or virus), 
such as when fewer than the specified number of packets with the same hash values or fewer than a 
predetermined number of the packet blocks with the same hash values are observed, or when the 
packets are observed outside the specified period of time, hash processor 310 may record the 
generated hash value(s) in hash memory 320 (act 540). For example, hash processor 310 may set 
the one or more bits stored in indicator field 412, corresponding to each of the generated hash 
values, to indicate that the corresponding packet was observed by hash processor 310. 
Processing may then return to act 505 to await receipt of the next packet. 

When hash processor 310 determines that the packet may be malicious, then hash processor 310 
may take remedial actions (act 550). In some cases, it may not be possible to determine whether 
the packet is actually malicious because there is some probability that the packet is 
a legitimate replication. As a result, hash processor 310 may determine the probability of the 
packet actually being malicious. 

The remedial actions may include raising a warning for a human operator, saving the packet for 
human analysis, dropping the packet, corrupting the packet's content in a way likely to render any 
code contained therein inert (and likely to cause the receiver to drop the packet), delaying 
transmission of the packet, requiring human examination before transmission of the packet, 
dropping other packets originating from the same IP address as the packet, sending a TCP close 
message to the sender thereby preventing complete transmission of the packet, and/or 
disconnecting the link on which the packet was received. Some of these actions, such as 
dropping or corrupting the packet, may be taken only when the probability that the packet is 
malicious is above a threshold. This may greatly slow the spread rate of a virus or worm 
without completely stopping legitimate traffic that happened to match a suspect profile. 
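
One way to put the rules of FIG. 5 into code, as an added example that is neither the patent's own logic nor the applicant's implementation: the known-virus comparison (act 515), the legitimate-replicator check (act 530), and the "more than times copies within a specified period" rule (acts 535-545), with a per-hash queue of observation times standing in for the indicator and counter fields of FIG. 4A, so that a counter drops as old observations age out of the window (the periodic decrement the text mentions). The thresholds (times = 3, a 10-second window, half of a packet's blocks repeating) and the sample packets are constructed for the demonstration, not taken from the text.

```python
import zlib
from collections import deque

BLOCK_SIZE = 64


def block_hashes(payload: bytes):
    """32-bit CRC per successive 64-byte block of the payload (act 510)."""
    return [zlib.crc32(payload[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")) & 0xFFFFFFFF
            for i in range(0, len(payload), BLOCK_SIZE)]


class PacketDetector:
    """Rule-based duplicate-content detector following the flow of FIG. 5.

    Constructed parameters: `times` and `window` are the thresholds the text leaves
    open; `min_block_fraction` is the share of a packet's blocks that must already
    be repeating before the packet counts as suspect.
    """

    def __init__(self, known_bad_payloads=(), replicators=(), times=3,
                 window=10.0, min_block_fraction=0.5):
        # hash values of known viruses/worms, preprogrammed into hash memory (act 515)
        self.known_bad = {h for p in known_bad_payloads for h in block_hashes(p)}
        # source addresses of legitimate replicators such as multicast servers (act 530)
        self.replicators = set(replicators)
        self.times = times
        self.window = window
        self.min_block_fraction = min_block_fraction
        # hash value -> timestamps of observations: key present = indicator field,
        # queue length = counter field (FIG. 4A)
        self.memory = {}

    def _recent_count(self, h: int, now: float) -> int:
        """Counter for one hash value; entries older than the window are dropped,
        which plays the role of the periodic decrement used for flushing."""
        q = self.memory.get(h)
        if not q:
            return 0
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def _record(self, hashes, now: float) -> None:
        """Act 540: mark every block hash of this packet as observed at `now`."""
        for h in set(hashes):
            self.memory.setdefault(h, deque()).append(now)

    def observe(self, src_addr: str, payload: bytes, now: float) -> str:
        """Classify one observed packet (acts 505-550) and return the verdict."""
        hashes = block_hashes(payload)
        if any(h in self.known_bad for h in hashes):
            return "known-malicious"            # acts 520/525: remedial action
        if src_addr in self.replicators:
            return "legitimate-replicator"      # act 530: stop processing
        # acts 535/545: how many of this packet's blocks have already been seen
        # at least `times` times within the window?
        repeated = sum(1 for h in hashes if self._recent_count(h, now) >= self.times)
        self._record(hashes, now)
        if hashes and repeated / len(hashes) >= self.min_block_fraction:
            return "suspect"                    # act 550: remedial action
        return "recorded"                       # act 540, then back to act 505


def demo() -> list:
    """Run constructed traffic through the detector; returns the verdicts in order."""
    worm = b"\x90" * 16 + b"CONSTRUCTED-WORM-BODY" * 6     # stands in for a known worm
    det = PacketDetector(known_bad_payloads=[worm], replicators={"10.0.0.9"})
    burst = b"new self-replicating content " * 4           # unknown content, repeated
    return [
        det.observe("10.0.0.5", worm, 0.0),                 # matches a preprogrammed hash
        det.observe("10.0.0.9", b"multicast frame " * 8, 1.0),   # known replicator
        det.observe("10.0.0.1", burst, 1.0),
        det.observe("10.0.0.2", burst, 2.0),
        det.observe("10.0.0.3", burst, 3.0),
        det.observe("10.0.0.4", burst, 4.0),                # fourth copy inside the window
        det.observe("10.0.0.6", burst, 40.0),               # earlier copies have aged out
    ]


if __name__ == "__main__":
    print(demo())
```

The verdict string is where a deployment would hang the remedial action chosen for act 550; keeping the thresholds as constructor arguments is what lets an operator trade false positives against detection latency per link.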

EXEMPLARY PROCESSING FOR SOURCE PATH IDENTIFICATION 

FIG. 6 is a flowchart of exemplary processing for identifying the path taken through a network 
by a malicious packet, such as a virus or worm, according to an implementation consistent with 
the principles of the invention. The processing of FIG. 6 may be performed by a security server, 
such as security server 125, or other devices configured to trace the paths taken by malicious 
packets. In other implementations, one or more of the described acts may be performed by other 
systems or devices within system 100. 

Processing may begin with intruder detection system 124 detecting a malicious packet. Intruder 
detection system 124 may use conventional techniques to detect the malicious packet. For 
example, intruder detection system 124 may use rule-based algorithms to identify a packet that 
falls outside the pattern of normal network traffic. When a malicious packet is detected, intruder 
detection system 124 may send a notification to security server 125 
within autonomous system 120. The notification may include the malicious packet or portions 
thereof along with other information useful for security server 125 to perform source path 
identification. Examples of information that intruder detection system 124 may send to security 
server 125 along with the malicious packet include time-of-arrival information, encapsulation 
information, link information, and the like. 

After receiving the malicious packet, security server 125 may generate a query that includes the 
malicious packet and any additional information desirable for facilitating communication with 
participating routers (e.g., security routers 126-129) (act 610). Examples of 
additional information that may be included in the query are, but are not limited to, destination 
addresses for participating routers, passwords required for querying a router, encryption keying 
information, a time-to-live (TTL) field, and the like. 

Security server 125 may then send the query to security router(s) located one hop away (act 
615). The security router(s) may analyze the query to determine whether they have seen the 
malicious packet. To make this determination, the security router(s) may use processing similar 
to that described below with regard to FIG. 7. 

After processing the query, the security router(s) may send a response to security server 125. The 
response may indicate that the security router has seen the malicious packet, or alternatively, that 
it has not. It is important to note that these two responses are not equivalent in terms of 
certainty. If a security router does not have a hash matching the malicious packet, the security 
router has definitively not seen the malicious packet. If the router has a matching hash, 
however, then the security router has seen the malicious packet or a packet that has the same 
hash value as the malicious packet. When two different packets, having different contents, hash 
to the same value it is referred to as a hash collision. 

The security router(s) may also forward the query to other routers or devices, such as security 
routers located two hops away from security server 125, which may forward the query to security 
routers located three hops away, and so on. This forwarding may continue to include routers or 
devices within public network 150 if these routers or devices are configured to participate in 
source path identification. This is referred to as an inward-out approach because the query 
propagates outward from security server 125. Alternatively, 
an outward-in approach may be used. 

Security server 125 receives the responses from the security routers indicating whether the 
security routers have seen the malicious packet (acts 620 and 625). If a response indicates that 
the security router has seen the malicious packet, security server 125 may associate the response and 
identification (ID) information for the respective security router with active path data (act 630). 
Alternatively, if the response indicates that the security router has not seen the malicious packet, 
security server 125 may associate the response and ID information for the security router with 
inactive path data (act 635). 

Security server 125 uses the active and inactive path data to build a trace of the potential paths 
taken by the malicious packet as it traveled, or propagated, across the network (act 640). Security 
server 125 may continue to build the trace until it receives all the responses from the security 
routers (acts 640 and 645). Security server 125 may attempt to build a trace with each received 
response to determine the ingress point for the malicious packet. The ingress point may identify 
the point at which the malicious packet entered autonomous system 120, public network 150, or another 
autonomous system. 

As security server 125 attempts to build a trace of the path taken by the malicious packet, several 
paths may emerge as a result of hash collisions occurring in the participating routers. When hash 
collisions occur, they act as false positives in the sense that security server 125 interprets the 
collision as an indication that the malicious packet has been observed. Fortunately, the 
occurrences of hash collisions can be mitigated. One mechanism for reducing hash collisions is 
to compute large hash values over the packets since the chances of collisions rise as the number 
of bits in the hash value decreases. Another mechanism to reduce false positives due to hash 
collisions is for each security router (e.g., security routers 126-129) to employ 
its own unique hash function so the same collision will not occur in other security 
routers. 

A further mechanism for reducing hash collisions is to control the filling of the hash tables in the 
memories of participating routers. That is, rather than computing a single hash value and setting 
a single bit for an observed packet, a plurality of hash values may be computed for each 
observed packet using several unique hash functions. This produces a corresponding number of 
unique hash values for each observed packet. While this approach fills the hash table at a faster 
rate, the reduction in the number of hash collisions makes the tradeoff worthwhile in many 
instances. For example, Bloom Filters may be used to compute multiple hash values over a given 
packet in order to reduce the number of false positive 
paths. 
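
A Bloom-filter hash memory in which each router keys its hash functions with its own identifier, as an added example (not code from the patent or its applicant). It demonstrates the two collision-reducing mechanisms the text names: several hash functions per block, and a per-router unique hash function so that a collision in one router's memory is not repeated in another's for the same block; it also shows the faster fill rate the text accepts as the price. SHA-256 as the base function, the filter sizes and the sample blocks are assumptions for the demonstration, and `expected_false_positive_rate` is the standard Bloom-filter estimate, not a formula the text gives.

```python
import hashlib
import math


class BloomHashMemory:
    """Hash memory for one participating router, kept as a Bloom filter of m bits.

    The router's own identifier is mixed into every hash, so two routers derive
    different bit positions for the same block (the "unique hash function per
    router" mechanism).  Sizes are constructed for the demonstration.
    """

    def __init__(self, router_id: str, m_bits: int = 1 << 16, k: int = 4):
        self.router_id = router_id
        self.m = m_bits
        self.k = k                      # number of hash functions per block (k <= 8 here)
        self.bits = bytearray(m_bits // 8)

    def indexes(self, block: bytes):
        """k bit positions for one block, taken from one keyed SHA-256 digest
        (4 bytes of the digest per function, which is why k <= 8)."""
        digest = hashlib.sha256(self.router_id.encode() + block).digest()
        return [int.from_bytes(digest[4 * i:4 * i + 4], "big") % self.m
                for i in range(self.k)]

    def record(self, block: bytes) -> None:
        """Set all k bits for an observed block (the 'plurality of hash values')."""
        for i in self.indexes(block):
            self.bits[i >> 3] |= 1 << (i & 7)

    def possibly_seen(self, block: bytes) -> bool:
        """False is definitive; True is a real observation or a collision on all k bits."""
        return all(self.bits[i >> 3] & (1 << (i & 7)) for i in self.indexes(block))

    def set_bits(self) -> int:
        """How full the table is: the cost side of using k > 1."""
        return sum(bin(b).count("1") for b in self.bits)


def expected_false_positive_rate(m_bits: int, k: int, n_blocks: int) -> float:
    """Standard Bloom-filter estimate after n_blocks insertions: (1 - e^(-kn/m))^k."""
    return (1.0 - math.exp(-k * n_blocks / m_bits)) ** k


def measure_false_positives(memory: BloomHashMemory, recorded, probes) -> int:
    """Record `recorded` blocks, then count how many never-recorded `probes`
    nonetheless look seen: each one would become a false-positive path."""
    for b in recorded:
        memory.record(b)
    return sum(1 for p in probes if memory.possibly_seen(p))


def demo() -> dict:
    """Constructed blocks through two routers, plus a k=4 versus k=1 comparison."""
    blk = b"constructed packet block " * 3
    sr126, sr127 = BloomHashMemory("SR126"), BloomHashMemory("SR127")
    before = sr126.possibly_seen(blk)
    sr126.record(blk)
    recorded = [bytes([i]) * 64 for i in range(200)]          # constructed observed blocks
    probes = [b"never recorded %d" % i for i in range(200)]   # constructed unseen blocks
    multi, single = BloomHashMemory("SR128", k=4), BloomHashMemory("SR128", k=1)
    return {
        "before": before,
        "after": sr126.possibly_seen(blk),
        "other_router": sr127.possibly_seen(blk),
        "indexes_differ": sr126.indexes(blk) != sr127.indexes(blk),
        "fp_multi": measure_false_positives(multi, recorded, probes),
        "fp_single": measure_false_positives(single, recorded, probes),
        "bits_multi": multi.set_bits(),
        "bits_single": single.set_bits(),
        "rate_k4": expected_false_positive_rate(1 << 16, 4, 1000),
        "rate_k1": expected_false_positive_rate(1 << 16, 1, 1000),
    }


if __name__ == "__main__":
    print(demo())
```

`bits_multi` comes out roughly four times `bits_single` for the same traffic, which is the faster fill the text mentions, while `rate_k4` is orders of magnitude below `rate_k1` at the same table size: the trade the text calls worthwhile, as long as the table is sized for the expected number of blocks between flushes.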

When security server 125 has determined an ingress point for the malicious packet, it may notify 
intruder detection system 124 that the ingress point for the malicious packet has been determined 
(act 650). Security server 125 may also take remedial actions (act 655). Often it will be desirable 
to have the participating router closest to the ingress point close off the ingress path used by the 
malicious packet. As such, security server 125 may send a message to the respective 
security router instructing it to close off the ingress path using known techniques. 

Security server 125 may also archive copies of queries, responses received, and 
the like either locally or remotely. Furthermore, security server 125 may communicate 
information about source path identification attempts to devices at remote locations coupled to a 
network. For example, security server 125 may communicate information to a network 
operations center, a redundant security server, or to a data analysis facility for post processing. 

EXEMPLARY PROCESSING FOR DETERMINING WHETHER A MALICIOUS PACKET 
HAS BEEN OBSERVED 

FIG. 7 is a flowchart of exemplary processing for determining whether a malicious packet, such 
as a virus or worm, has been observed, according to an implementation consistent with the 
principles of the invention. The processing of FIG. 7 may be performed by packet detection logic 
300 implemented within a security router, such as security router 126, or by other devices 
configured to trace the paths taken by malicious packets. In other implementations, one or more 
of the described acts may be performed by other systems or devices within system 100. 

Processing may begin when security router 126 receives a query from security server 125 (act 
705). As described above, the query may include a TTL field. A TTL field may be employed 
because it provides an efficient mechanism for limiting the query to relevant, or participating, 
routers in the network, and queries 
with expired TTL fields may be discarded. 

If the query includes a TTL field, security router 126 may determine if the TTL field in the query 
has expired (act 710). If the TTL field has expired, security router 126 may discard the query 
(act 715). If the TTL field has not expired, security router 126 may hash the malicious packet 
included in the query at each possible starting offset within a block (act 720). Security 
router 126 may generate multiple hash values because the code body of a virus or worm may 
appear at a different offset within the packet that carries it (e.g., each copy may have an e-mail 
header attached that differs in length for each copy). 

Security router 126 may then determine whether any of the generated hash values match one of 
the recorded hash values in hash memory 320 (act 725). Security router 126 may use each of the 
generated hash values as an address into hash memory 320. At each of the addresses, security 
router 126 may determine whether indicator field 412 indicates that a packet with that 
hash value has been observed. If none of the generated hash values match a hash value in hash 
memory 320, security router 126 does not forward the query and sends a 
negative response to security server 125 (act 735). 

If one or more of the generated hash values match a hash value in hash memory 320, 
security router 126 may forward the query to other participating routers, except in 
the direction from which the query was received (act 740). Security router 126 may also send a 
positive response to security server 125, indicating that the packet has been seen. 
The response may include the address of security router 126 and information about observed 
packets that have passed through security router 126. 
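
The query exchange of FIGS. 6 and 7 end to end, as an added example that is not the patent's code: routers record block hashes of the packets they see, the security server sends the malicious packet with a TTL to the router one hop away, each router discards an expired query, hashes the packet at every starting offset within a block, answers positively or negatively, and forwards only on a match; the server builds the active and inactive path data and reads the ingress candidate off them. The topology, the carrier packets with headers of different lengths, the "H"-filled headers, and the use of a Python set in place of the bit array are assumptions made for the demonstration.

```python
import zlib

BLOCK_SIZE = 64


def block_hash(block: bytes) -> int:
    """32-bit hash of one payload block, zero-padded to the fixed block size."""
    return zlib.crc32(block.ljust(BLOCK_SIZE, b"\0")) & 0xFFFFFFFF


class SecurityRouter:
    """A participating router: records block hashes of packets it forwards
    (packet detection logic 300) and answers path queries (FIG. 7)."""

    def __init__(self, name: str, neighbors=()):
        self.name = name
        self.neighbors = list(neighbors)   # other participating routers
        self.memory = set()                # stands in for the bit array of hash memory 320

    def observe(self, payload: bytes) -> None:
        """Hash successive 64-byte blocks from offset 0 and mark them observed."""
        for off in range(0, len(payload), BLOCK_SIZE):
            self.memory.add(block_hash(payload[off:off + BLOCK_SIZE]))

    def query_hashes(self, packet: bytes):
        """Act 720: hash the queried packet at every starting offset within a block.
        A copy carried behind a header of a different length has its block
        boundaries shifted by 0..63 bytes relative to the query's copy."""
        hashes = set()
        for start in range(min(BLOCK_SIZE, len(packet))):
            for off in range(start, len(packet), BLOCK_SIZE):
                hashes.add(block_hash(packet[off:off + BLOCK_SIZE]))
        return hashes

    def handle_query(self, packet: bytes, ttl: int):
        """Acts 705-745.  Returns (seen, forward); `seen` is None when the query
        is discarded for an expired TTL, i.e. no response is sent at all."""
        if ttl <= 0:                                                   # acts 710/715
            return None, False
        seen = any(h in self.memory for h in self.query_hashes(packet))   # act 725
        return seen, seen           # act 730/740: forward only on a positive match


class SecurityServer:
    """Security server 125 driving the trace of FIG. 6 with the inward-out approach."""

    def __init__(self, routers):
        self.routers = {r.name: r for r in routers}

    def trace(self, malicious_packet: bytes, first_hop: str, ttl: int = 3):
        """Return (active path data, inactive path data, ingress candidates)."""
        active, inactive, reached_from = [], [], {}
        pending = [(first_hop, ttl, None)]          # act 615: the router one hop away
        while pending:
            name, ttl_left, prev = pending.pop(0)
            if name in reached_from:
                continue                            # already queried along another path
            reached_from[name] = prev
            seen, forward = self.routers[name].handle_query(malicious_packet, ttl_left)
            if seen is None:
                continue                            # discarded: expired TTL (act 715)
            (active if seen else inactive).append(name)      # acts 630 / 635
            if forward:                             # act 740: not back toward the querier
                pending.extend((nxt, ttl_left - 1, name)
                               for nxt in self.routers[name].neighbors if nxt != prev)
        # act 640: an ingress candidate is an active router with no active neighbour
        # beyond it (other than the router that relayed the query to it)
        ingress = [n for n in active
                   if not any(m in active and m != reached_from[n]
                              for m in self.routers[n].neighbors)]
        return active, inactive, ingress


def carrier_packet(header_len: int, body: bytes) -> bytes:
    """Constructed carrier: the same body behind a header of the given length
    (the differing e-mail headers the text describes)."""
    return b"H" * header_len + body


def demo():
    """Constructed four-router topology; the worm entered at SR128 and reached SR126."""
    body = bytes(range(256)) * 2                         # constructed 512-byte worm body
    sr126 = SecurityRouter("SR126", ["SR127", "SR129"])
    sr127 = SecurityRouter("SR127", ["SR126", "SR128"])
    sr128 = SecurityRouter("SR128", ["SR127"])           # border router on the worm's path
    sr129 = SecurityRouter("SR129", ["SR126"])           # border router that never saw it
    for r in (sr126, sr127, sr128, sr129):
        r.observe(b"GET /index.html HTTP/1.0\r\n" * 4)  # benign traffic everywhere
    sr128.observe(carrier_packet(40, body))              # each hop saw a copy with
    sr127.observe(carrier_packet(17, body))              # a different header length
    sr126.observe(carrier_packet(5, body))
    routers = [sr126, sr127, sr128, sr129]
    full = SecurityServer(routers).trace(carrier_packet(61, body), "SR126", ttl=3)
    short = SecurityServer(routers).trace(carrier_packet(61, body), "SR126", ttl=1)
    return full, short


if __name__ == "__main__":
    print(demo())
```

With `ttl=3` the trace reaches SR128 and names it the ingress candidate while SR129 lands in the inactive path data; with `ttl=1` only SR126 answers, which is the TTL limiting the query to nearby routers as the text intends.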

CONCLUSION 

Systems and methods consistent with the principles of the invention detect and/or 
prevent transmission of malicious packets, such as viruses and worms, and trace the propagation 
of the malicious packets through a network. 

The foregoing description of preferred embodiments of the present invention provides 
illustration and description, but is not intended to be exhaustive or to limit the invention to the 
precise form disclosed. Modifications and variations are possible in light of the above teachings 
or may be acquired from practice of the invention. 

For example, systems and methods have been described with regard to network-level devices. In 
other implementations, the systems and methods described herein may be implemented in a stand-
alone device at the input or output of a network link or at other protocol levels, such as in mail 
relay hosts (e.g., Simple Mail Transfer Protocol (SMTP) servers). 

Also, while series of acts have been described with regard to the flowcharts of FIGS. 5-7, the order of 
the acts may be varied in other implementations consistent with the invention. In 
addition, non-dependent acts may be performed concurrently. 
Certain portions of the invention have been described as "logic" that performs one or 
more functions. This logic may include hardware, such as an application specific integrated 
circuit or a field programmable gate array, software, or a combination of hardware and software. 

No element, act, or instruction used in the description of the present application should be 
construed as critical or essential to the invention unless explicitly described as such. Also, as 
used herein, the article "a" is intended to include one or more items. Where only one item is 
intended, the term "one" or similar language is used. The scope of the invention is defined by the 
claims and their equivalents. 